TITLE OF THE INVENTION
ENCRYPTION METHOD, DECRYPTION METHOD, 
CRYPTOGRAPHIC COMMUNICATION METHOD 
AND CRYPTOGRAPHIC COMMUNICATION SYSTEM 

BACKGROUND OF THE INVENTION 
The present invention relates to an encryption method of the 
public-key cryptosystem for encrypting a plaintext into a ciphertext 
using a public key, a decryption method of decrypting a ciphertext 
generated by the encryption method into a plaintext, a 
cryptographic communication method and a cryptographic 
communication system using these encryption method and 
decryption method, and a memory product/data signal embodied in 
carrier wave for recording/transmitting an operation program of the 
encryption method. 

In the modern society, called a highly information-oriented 
society, based on a computer network, important business 
documents and image information are transmitted and 
communicated in a form of electronic information. Such electronic 
information can be easily copied, so that it tends to be difficult to 
discriminate its copy and original from each other, thus bringing 
about an important issue of data integrity. In particular, it is 
indispensable for establishment of a highly information-oriented
society to implement such a computer network that meets the
factors of "sharing of computer resources," "multi-accessing," and
"globalization," which however includes various factors
contradicting the problem of data integrity among the parties
concerned. In an attempt to eliminate those contradictions,
encrypting technologies which have been mainly used in the past
military and diplomatic fields in the human history are attracting
world attention as an effective method for that purpose.

A cipher communication is defined as exchanging 
information in such a manner that no one other than the parties 
concerned can understand the meaning of the information. In the 
field of the cipher communication, encryption is defined as 
converting an original text (plaintext) that can be understood by 
anyone into a text (ciphertext) that cannot be understood by the 
third party and decryption is defined as restoring a ciphertext into a 
plaintext, and cryptosystem is defined as the overall processes 
covering both encryption and decryption. The encrypting and 
decrypting processes use secret information called an encryption 
key and a decryption key, respectively. Since the secret decryption 
key is necessary in decryption, only those knowing this decryption 
key can decrypt ciphertexts, thus maintaining data security. 

The encryption scheme is roughly classified into two types: 
common-key cryptosystem and public-key cryptosystem. In a 
common-key cryptosystem, an encryption key and a decryption key
are identical with each other, and a sender and a recipient perform
cryptographic communications by possessing an identical common
key. The sender encrypts a plaintext based on a secret common
key and transmits the resultant ciphertext to the recipient, and
then the recipient decrypts the ciphertext into the original plaintext
by using this common key.

On the other hand, in a public-key cryptosystem, an 
encryption key and a decryption key are different from each other, 
and cryptographic communications are performed by encrypting a 
plaintext by the sender with the use of a publicized public key of the 
recipient and decrypting the resultant ciphertext by the recipient 
with the use of its own secret key. The public key is a key used for 
encryption and the secret key is a key used for decrypting the 
ciphertext transformed by the public key, and the ciphertext 
transformed by the public key can be decrypted only by the secret 
key. 

As a scheme of public-key cryptosystem, a product-sum type
cryptoscheme has been known. In this cryptosystem, an entity of
sender generates a ciphertext $C = m_1 c_1 + m_2 c_2 + \cdots + m_K c_K$ by using
both a plaintext vector $m = (m_1, m_2, \ldots, m_K)$ obtained by dividing a
plaintext into K parts and a base vector $c = (c_1, c_2, \ldots, c_K)$ as public
key. The other entity of recipient decrypts the ciphertext C into
the plaintext vector m by using a secret key thereby to obtain the
original plaintext. Prior art product-sum type cryptoschemes use
an operation on an integer ring.

With regard to such a product-sum type cryptography, 
various new cryptoschemes have been proposed and investigated 
from the viewpoint of security improvement, process time speedup,
and the like.

Nevertheless, such a product-sum type cryptography, by 
nature, has a feature of being easily attacked by using a 
mathematical LLL (Lenstra-Lenstra-Lovasz) algorithm which 
decrypts each component of a plaintext vector m from each 
component of a base vector c made public. Thus, the development 
of a product-sum type encryption method resistive to attacks by the 
LLL algorithm has been desired. 

BRIEF SUMMARY OF THE INVENTION 
An object of the present invention is to provide a
product-sum type encryption method of new scheme resistive to
attacks by LLL algorithm because of constituting a cryptosystem on
a finite field, thereby improving the security.

Another object of the present invention is to provide a 
decryption method of decrypting a ciphertext generated by the 
above-mentioned encryption method into a plaintext, a 
cryptographic communication method and a cryptographic 
communication system using the above-mentioned encryption 
method and decryption method, and a memory product/data signal 
embodied in carrier wave for recording/transmitting an operation 
program of the encryption method. 

In a first aspect of the present invention, secret keys, public 
keys, random numbers, and the like are expressed in a polynomial 
representation, whereby a product-sum type cryptosystem is 
constituted on a finite field instead of an integer ring. As a result,
the cryptosystem is more resistive to attacks by LLL algorithm than
a product-sum type cryptosystem on an integer ring, thereby
improving the security.

In a second aspect of the present invention, each term of
intermediate decrypted text is constituted of an error correcting
code word, whereby the original plaintext can be reproduced
accurately by the correction capability of the code word even if an
error of a certain extent occurs.

In a third aspect of the present invention, a plurality of
public keys are previously prepared for each of divided plaintexts
obtained by dividing a plaintext. For each of the divided plaintexts,
an arbitrary public key is selected from among the prepared
plurality of public keys, whereby a ciphertext is generated by using
the selected public keys. As such, public keys are selective, that is,
an entity of sender can arbitrarily select the public keys to generate
a ciphertext. Accordingly, the manner of the public key selection is
unknown to attackers, which makes attacks difficult thereby to
improve the security further.

The above and further objects and features of the present
invention will more fully be apparent from the following detailed
description with accompanying drawings.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS



FIG. 1 is a schematic diagram showing a situation of 
informational communication between two entities in accordance 
with a first embodiment; 

FIG. 2 is a diagram showing a public key list in a database of
a first example of the first embodiment;

FIG. 3 is a diagram showing a public key list in a database of 
a second example of the first embodiment; 

FIG. 4 is a schematic diagram showing a situation of 
informational communication between two entities in accordance 
with a second embodiment; and 

FIG. 5 is a diagram showing the configuration of an 
embodiment of a memory product. 

DETAILED DESCRIPTION OF THE INVENTION 
The embodiments of the present invention are described 
below in detail. 

First, the polynomial representation in the present invention
is explained. The m shown in the following (1) represents a
message generated by encoding a plaintext M for the purpose of
class selection information in the first embodiment described later
or error correction detection in the second embodiment described
later. Here, K is the number of division of the plaintext M.

$$m = (m_1, m_2, \ldots, m_K) \qquad (1)$$

Although each component $m_i$ ($i = 1, 2, \ldots, K$) of the message m is a
$k_i$-dimensional vector on a finite field (Galois field) $F_q$, an
assumption is made herein such that q=2 and $k_i = k$ (constant), for
the simplicity of description.

As such, the message m is previously encoded. In order to
emphasize this fact, each component $m_i$ of the message m is
rewritten into $m_i'$, and the $m_i'$ is expressed by the following (2) with
$m_{ij}' \in F_2$. Further, the component $m_i'$ is expressed by the following
(3) in a polynomial representation.

$$m_i' = (m_{i1}', m_{i2}', \ldots, m_{ik}') \qquad (2)$$

$$m_i'(X) = m_{i1}' + m_{i2}' X + \cdots + m_{ik}' X^{k-1} \qquad (3)$$

Meanwhile, a value A is expressed by a vector s or a
polynomial s(X) herein, and the vector s and the polynomial s(X) are
referred to as a vector representation and a polynomial
representation of A, respectively.

(First embodiment: arbitrary selection of public keys in a 
product-sum type cryptosystem on a finite field) 

FIG. 1 is a schematic diagram showing a situation that an 
encryption method/decryption method in accordance with the first 
embodiment is used in an informational communication between 
two entities a, b. In the example of FIG. 1, an entity a encrypts a 
plaintext M into a ciphertext C, thereby transmitting the ciphertext 
C through a communication channel 1 to the other entity b. The 
entity b decrypts the ciphertext C into the original plaintext M. 

The entity a of sender comprises: a plaintext divider 2
for dividing a plaintext M into a plurality of divided plaintexts; a
public key selector 5 for selecting a public key for each divided
plaintext from a database 10; and an encryptor 3 for generating a
ciphertext C using the selected public keys and divided plaintexts.
On the other hand, the entity b of recipient comprises a decryptor 4
for decrypting the transmitted ciphertext C into the original
plaintext M. In the first embodiment, secret keys, public keys,
random numbers, and the like are expressed in a polynomial
representation as described later, whereby a product-sum type
cryptosystem is constituted on a finite field.
[First example of the first embodiment] 

FIG. 2 is a diagram showing a public key list (base list) in 
the database 10 previously storing a plurality of public keys for each 
divided plaintext. In FIG. 2, K is the number of division (number of
classes) of a plaintext M, and J is the total number of the public
keys (bases) of selection objectives for each class i ($i = 1, 2, \ldots, K$). J
public keys (bases) are prepared for each divided plaintext (each
class) except for the class 1.

The entity a of sender arbitrarily selects and reads out a key
(base) for each divided plaintext (each class) from the database 10
storing such public keys (bases), and then uses the read-out K
public keys (bases) as encryption keys. Here, the number of the
possible selection combinations of public keys (bases) allowed for
the entity a is $J^{K-1}$. The existence of the $J^{K-1}$ combinations of public
keys (bases) provides grounds for the further security of the first
embodiment, in addition to the constitution on a finite field.
(Preparation) 



Some symbols are defined as follows. 

$m_i'$: component of message m; $m_i' \in F_q$ ($q = 2^k$)

$\alpha_i, \beta_i$: random numbers; $\alpha_i, \beta_i \in F_q$

$v_i$: random number vector on $F_q$ belonging to class i of public
key list

$b_i$: base; $b_i = \alpha_i + \beta_i X$
(Encryption)

Secret keys and public keys are prepared as follows.
•Secret keys: $\{b_i(X)\}$, $\{v_i(X)\}$, $w(X)$, $P(X)$, permutation matrix $P(*)$
•Public keys: $\{c_i^{(j)}(X)\}$, $F_q$

With P(X) being an appropriately selected, secret irreducible
polynomial, the following (4) is deduced.

$$b_1(X) b_2(X) \cdots b_{i-1}(X) v_i^{(j)}(X) w(X) \equiv c_i^{(j)}(X) \pmod{P(X)} \qquad (4)$$

The polynomial representation $b_1(X) b_2(X) \cdots b_{i-1}(X) v_i(X)$ of
the plurality of public keys of selection objectives shown in FIG. 2
corresponds to a vector representation $b_1 b_2 \cdots b_{i-1} v_i$.

Encryption is carried out on $F_q$ as shown in the following (5).

$$C(X) = \sum_{i=1}^{K} m_i' c_i^{(j)}(X) \qquad (5)$$

(Decryption) 

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(6), an intermediate decrypted text $M(X) = C(X) w^{-1}(X) \pmod{P(X)}$
is deduced as shown in the following (7) with $1 \le j \le J$.

$$w(X) w^{-1}(X) \equiv 1 \pmod{P(X)} \qquad (6)$$

$$C(X) w^{-1}(X) \equiv m_1' v_1(X) + m_2' b_1(X) v_2^{(j)}(X) + \cdots + m_K' b_1(X) b_2(X) \cdots b_{K-1}(X) v_K^{(j)}(X) \pmod{P(X)} \qquad (7)$$

After the lowest order term $m_1' v_1(X)$ of the intermediate
decrypted text M(X) is decrypted, the subsequent terms can be
decrypted similarly.

By using the inverse element $v_1^{-1}(X)$ of $v_1(X)$ modulo $b_1(X)$,
the following (8) is deduced. Here, as shown in FIG. 2, the base
($v_1(X)$) is uniquely selected in the class 1.

$$M(X) v_1^{-1}(X) \equiv m_1' \pmod{b_1(X)} \qquad (8)$$

The encoded component $m_1$ of the original plaintext is
decoded from $m_1'$, and the selection information of base (public key)
in the class 2 is decrypted according to the following (9).

$$m_1' \equiv j \pmod{J} \qquad (9)$$

Thus, the selected base (public key $b_1(X) v_2^{(j)}(X)$) in the class
2 is specified, therefore, $m_2'$ can be decrypted in the same manner as
that for $m_1'$. That is, the $m_2'$ is decrypted according to the following
(10). The $m_3'$ to $m_K'$ are decrypted similarly.

$$\frac{M(X) - m_1' v_1(X)}{b_1(X)} = m_2' v_2^{(j)}(X) + m_3' b_2(X) v_3^{(j)}(X) + \cdots + m_K' b_2(X) \cdots b_{K-1}(X) v_K^{(j)}(X) \qquad (10)$$

As such, the description of the first example has been made
for the case that the lowest order term of message of a product-sum
type ciphertext is first decrypted and that the higher order terms of
message are then sequentially decrypted. However, the process
may be reversed such that the highest order term of message is first
decrypted and that the lower order terms of message are then
sequentially decrypted.
[Second example of the first embodiment]

FIG. 3 is a diagram showing a public key list (base list) in
the database 10 previously storing a plurality of public keys for each
divided plaintext. In FIG. 3, K is the number of division (number
of classes) of a plaintext M, and J is the total number of the public
keys (bases) of selection objectives for each class i ($i = 1, 2, \ldots, K-2$).
J public keys (bases) are prepared for each divided plaintext (each
class) except for the (K-1)-th and the K-th class.

The entity a of sender arbitrarily selects and reads out a key
(base) for each divided plaintext (each class) from the database 10
storing such public keys (bases), and then uses the read-out K
public keys (bases) as encryption keys. Here, the number of the
possible selection combinations of public keys (bases) allowed for
the entity a is $J^{K-2}$.
(Preparation) 

Some symbols are defined as follows. 

$m_i'$: component of message m; $m_i' \in F_q$ ($q = 2^k$)
$\alpha_i^{(j)}, \beta_i^{(j)}$: random numbers; $\alpha_i^{(j)}, \beta_i^{(j)} \in F_q$

$b_i$: base; $b_i^{(j)}(X) = \alpha_i^{(j)} + \beta_i^{(j)} X$
(Encryption)

Secret keys and public keys are prepared as follows.

•Secret keys: $\{b_i(X)\}$, $w(X)$, $P(X)$, permutation matrix $P(*)$

•Public keys: $\{c_i^{(j)}(X)\}$, $F_q$
With P(X) being an appropriately selected, secret irreducible
polynomial, the following (11) is deduced.

$$b_i^{(j)}(X) w(X) X^{i-1} \equiv c_i^{(j)}(X) \pmod{P(X)} \qquad (11)$$

Here, the components of vector $c_i^{(j)}$ are randomly located by
the secret permutation matrix P(*). In FIG. 3, a vector
representation of $b_i^{(j)}(X)$ is expressed by $b_i^{(j)}$. The reason why only
one base is used in the classes K-1, K as described above in FIG. 3
is to achieve a high-speed decryption as described later.

Encryption is carried out on $F_q$ as shown in the following
(12).

$$C(X) = \sum_{i=1}^{K} m_i' c_i^{(j)}(X) \qquad (12)$$

(Decryption) 

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(13), an intermediate decrypted text $M(X) = C(X) w^{-1}(X) \pmod{P(X)}$
is deduced as shown in the following (14) with $1 \le j \le J$.

$$w(X) w^{-1}(X) \equiv 1 \pmod{P(X)} \qquad (13)$$

$$C(X) w^{-1}(X) \equiv m_1' b_1^{(j)}(X) + m_2' b_2^{(j)}(X) X + \cdots + m_K' b_K(X) X^{K-1} \pmod{P(X)} \qquad (14)$$

When the highest order term $m_K'$ of the intermediate
decrypted text M(X) is decrypted, the second highest order term $m_{K-1}'$
to the lowest order term $m_1'$ can be decrypted similarly. Thus,
the description herein is made below by focusing on the decryption
of $m_K'$.

Let $S_i(M)$ generally indicate the operation of sampling the
2k digits corresponding to the bases $b_{i-1}^{(j)}$, $b_i^{(j)}$ of a vector M, and let
the sampled series be expressed by a polynomial $S_{M_i}(X)$. The series
$S_{M_K}(X)$ generated by sampling the highest 2k digits of the
intermediate decrypted text M(X) given by equation (14) is obtained
by the following (15). Here, $e_{K-1}(X)$ is a polynomial representation
of the highest k digits of the second highest term $m_{K-1}'(X) b_{K-1}(X)$.

$$S_{M_K}(X) = m_K'(X) b_K(X) + e_{K-1}(X) \qquad (15)$$

The above-mentioned $e_{K-1}(X)$ is generally called a postfix.
The $e_{K-1}(X)$ can be deduced according to the following (16),
whereby the message $m_K'(X)$ can be decrypted according to the
following (17).

$$S_{M_K}(X) \equiv e_{K-1}(X) \pmod{b_K(X)} \qquad (16)$$

$$\frac{S_{M_K}(X) - e_{K-1}(X)}{b_K(X)} = m_K'(X) \qquad (17)$$

As shown in FIG. 3, there is no room for selection in the
classes K-1, K, then the $b_{K-1}$, $b_K$ are uniquely selected in
respective classes. While the original information $m_K$ is decrypted
from $m_K'$, the selection information of base in the class K-2 is
decrypted according to the following (18). More generally, the
selection information of base in the class i-2 is obtained using
$m_i' \equiv j \pmod{J}$.

$$m_K' \equiv j \pmod{J} \qquad (18)$$

As such, the base selection information of the second next
class is decrypted. The purpose of this is to prepare the base $b_{i-2}^{(j)}$
before entering the encryption of $S_{i-2}(M)$ given for the class i-2.
As a result, the decryption process can be sequentially performed
without delay.

The form of the base in the class K-2 is specified
according to $m_K' \equiv j \pmod{J}$, therefore, $m_{K-2}'$ can be decrypted in the
same manner as that for $m_K'$. Further, by rewriting $M_{K-1}(X)$ as
shown in the following (19), the $m_{K-1}'$ can be decrypted in the same
manner as that for $m_K'$. The $m_1'$ to $m_{K-2}'$ can be decrypted
sequentially in descending order by the similar process.

$$M_{K-1}(X) = M_K(X) + m_K'(X) b_K(X) X^{K-1} \qquad (19)$$

In the above-mentioned first example, the decryption process 
of message and the decryption process of base selection information 
can not be performed in parallel. In contrast, in the second 
example, the base selection information of class i-2 can be obtained
during the decryption of the i-th message, that is, the decryption
process of message and the decryption process of base selection
information can be performed in parallel. More specifically, the
operation of the above-mentioned (16) in the i-th class and the
operation of the above-mentioned (17) in the (i-1)-th class can be
performed in parallel. This is what is called a pipeline processing,
which permits a much higher-speed decryption processing in the
second example than in the first example.

The description of the second example has been made for the 
case that the highest order term of message of a product-sum type 
ciphertext is first decrypted and that the lower order terms of 
message are then sequentially decrypted. However, the process 
may be reversed such that the lowest order term of message is first 
decrypted and that the higher order terms of message are then 
sequentially decrypted. 
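
The first example of the first embodiment (key preparation (4), encryption (5), and the sequential decryption (7) to (10)) can be followed end to end in code. The following Python is an added example, not code from the patent: the field GF(2^8) with reduction polynomial 0x11B, the sizes K = J = 4, degree-one v polynomials, the modulus P(X) = X^5 + a, and the packing of each $m_i'$ as payload times J plus j are assumptions chosen for illustration, and the secret permutation P(*) is left out.

```python
import secrets

K, J = 4, 4  # constructed demo sizes: K classes, J bases per class (J < 2^k, k = 8)

def gmul(a, b):  # multiply in GF(2^8); reduction polynomial 0x11B is an assumption
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def gpow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gmul(r, a)
        a, e = gmul(a, a), e >> 1
    return r

# Polynomials over GF(2^8) are coefficient lists, lowest degree first.
def trim(p):
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p

def padd(p, q):
    n = max(len(p), len(q))
    return trim([x ^ y for x, y in zip(p + [0] * (n - len(p)), q + [0] * (n - len(q)))])

def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            r[i + j] ^= gmul(x, y)
    return trim(r)

def pdivmod(p, d):  # long division; d must have a nonzero leading coefficient
    p, inv = list(p), gpow(d[-1], 254)          # 1/lead(d), since a^255 = 1
    quo = [0] * max(1, len(p) - len(d) + 1)
    for s in range(len(p) - len(d), -1, -1):
        quo[s] = f = gmul(p[s + len(d) - 1], inv)
        for t, y in enumerate(d):
            p[s + t] ^= gmul(f, y)
    return trim(quo), trim(p[:len(d) - 1] or [0])

def pinv_mod(w, P):  # w^-1 mod irreducible P, as w^(q^n - 2) in F_q[X]/(P)
    e, r, base = 256 ** (len(P) - 1) - 2, [1], pdivmod(w, P)[1]
    while e:
        if e & 1:
            r = pdivmod(pmul(r, base), P)[1]
        base, e = pdivmod(pmul(base, base), P)[1], e >> 1
    return r

nz = lambda: secrets.randbelow(255) + 1         # random nonzero field element

def keygen():
    a = nz()
    while gpow(a, 51) == 1:                     # reject 5th powers, so that
        a = nz()                                # P(X) = X^5 + a is irreducible
    P = [a, 0, 0, 0, 0, 1]                      # secret modulus, degree above (7)
    b = [[nz(), nz()] for _ in range(K)]        # secret bases b_i = alpha_i + beta_i X
    v = []
    for i in range(K):                          # class 1 has one base, the others J
        row = []
        while len(row) < (J if i else 1):
            cand = [nz(), nz()]
            if pdivmod(cand, b[i])[1] != [0]:   # v must be invertible modulo b_i
                row.append(cand)
        v.append(row)
    w = [nz() for _ in range(K + 1)]            # secret multiplier, degree < deg P
    pub, prefix = [], [1]
    for i in range(K):                          # eq. (4): c = b_1..b_{i-1} v w mod P
        pub.append([pdivmod(pmul(pmul(prefix, x), w), P)[1] for x in v[i]])
        prefix = pmul(prefix, b[i])
    return pub, (b, v, pinv_mod(w, P), P)

def encrypt(pub, data, choice):
    """data[i] < 256 // J is the payload; choice[i] is the base used in class i+1."""
    C = [0]
    for i in range(K):
        nxt = choice[i + 1] if i + 1 < K else 0
        m = data[i] * J + nxt                   # eq. (9): m_i' mod J names the next base
        C = padd(C, pmul([m], pub[i][choice[i]]))   # eq. (5)
    return C

def decrypt(sec, C):
    b, v, w_inv, P = sec
    M = pdivmod(pmul(C, w_inv), P)[1]           # eq. (7): intermediate decrypted text
    j, data = 0, []
    for i in range(K):
        r_M = pdivmod(M, b[i])[1][0]
        r_v = pdivmod(v[i][j], b[i])[1][0]
        m = gmul(r_M, gpow(r_v, 254))           # eq. (8): m_i' = M v^-1 mod b_i
        M = pdivmod(padd(M, pmul([m], v[i][j])), b[i])[0]   # eq. (10)
        data.append(m // J)
        j = m % J                               # selection for the next class
    return data
```

Any choice vector starting with 0 decrypts to the same payload, because each $m_i'$ tells the recipient which base was used in the next class.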

Next, the security in the first embodiment described above is
explained. The j-th public key $c_i^{(j)}(X)$ in the class i is expressed by
the following (20).

$$c_i^{(j)}(X) = c_{i1}^{(j)} + c_{i2}^{(j)} X + \cdots + c_{iK}^{(j)} X^{K-1} \qquad (20)$$
Observing that the message $m_i'$ in the class i is involved into
a product independently of each coefficient of the polynomial
expressed by the above-mentioned (20), the vector $(c_{i1}^{(j)}, c_{i2}^{(j)}, \ldots, c_{iK}^{(j)})$
on $F_q$ corresponding to the coefficient of the polynomial of the
above-mentioned (20) can be randomly scrambled in an appropriate
order known to the recipient alone but by a permutation common to
each class. Thus, the designer can save the permutation matrix
P(*) as a secret key. Accordingly, number-theoretical attacks to
the public information are practically impossible for 30 or so.
For example, in the case that k=16 for the k in $F_q$ with $q = 2^k$ and
that K=32, the total number of trials necessary to obtain the correct
order is approximately $2.6 \times 10^{35}$.

Let a vector representation of a ciphertext C be the following
(21), where each component thereof is set as the following (22).

$$C = (C_1, C_2, \ldots, C_K) \qquad (21)$$

$$C_t = \sum_{i=1}^{K} m_i' c_{it}^{(j)} \qquad (22)$$

Here, observing that $C_t, m_i', c_{it}^{(j)} \in F_q$, an attack by LLL
algorithm is difficult to apply to the above-mentioned (22). Here,
$J \ge 2$ is necessary because, otherwise, the above-mentioned (22) is
decrypted self-evidently by a simple linear transformation. The
number of the random selections of public keys is $J^{K-1}$ (first
example) and $J^{K-2}$ (second example); thus, $J^{K-1} > 1$ and $J^{K-2} > 1$ are
possible. Accordingly, an attack to a public-key cryptography in
accordance with the first embodiment can be carried out only one by
one; therefore, this encryption/decryption method is very powerful.

Meanwhile, the public key size and the encryption key size of 
each entity in accordance with the first embodiment are given as 
follows. 

public key size: $J K^2 k$ bits

encryption key size of each entity: $K^2 k$ bits

Since the message has been encoded at the beginning of a 
cryptographic communication, the following condition (23) is 
required according to the above-mentioned conditions (9), (18), and 
hence, the rate (information transmission rate) becomes less than 1. 

$$J < 2^k \qquad (23)$$
However, in case that the selected keys are fixed during a 
predetermined time duration or during the data transmission of a 
predetermined amount of data, the above-mentioned condition (23) 
is unnecessary, and hence, the rate becomes approximately 1. 

Specific numerical examples are described below. 
<Numerical example 1> 

In a rather large-scale case of k=16, K=1024, and J=1024,
the public key size is $2^{10} \cdot 2^{20} \cdot 2^{4} = 2^{34}$ bits (2.147 Gbytes), and the
encryption key size of each entity is 2.0 kbytes.
<Numerical example 2>

In a rather small-scale case of k=8, K=128, and J=128, the
public key size is 2.097 Mbytes, and the encryption key size of each
entity is 16.384 kbytes.
<Numerical example 3>

In case of k=16, K=128, and J=128, the public key size is 4.19
Mbytes, and the encryption key size of each entity is 32.8 kbytes.
The principal operation for encryption is a product-sum operation of
128 elements of $F_q$ ($q = 2^{16}$) (for example, carried out in seven steps by
a 128 parallel processing). The principal operations for decryption
are a multiplicative and divisional operation of a polynomial of
degree 128 on $F_q$ ($q = 2^{16}$) and 128 successive multiplicative and
divisional operations of a polynomial of degree one on $F_q$ ($q = 2^{16}$).
<Numerical example 4>

In case of k=8, K=32, and J=16, the public key size is 16.4
kbytes, and the encryption key size of each entity is 1.02 kbytes.
The principal operation for encryption is a product-sum operation of
32 elements of $F_q$ ($q = 2^8$) (for example, carried out in five steps by a
32 parallel processing). The principal operations for decryption are
a multiplicative and divisional operation of a polynomial of degree
32 on $F_q$ ($q = 2^8$) and 32 successive multiplicative and divisional
operations of a polynomial of degree one on $F_q$ ($q = 2^8$).

The rate and the improvement thereof in the second example
are described below. Since the degree of the secret polynomial P(X)
is K+1, input plaintext length $L_m$ and output ciphertext length $L_c$
are given by the following (24) and (25), respectively, and further,
rate r is given by the following (26).

$$L_m = Kk \qquad (24)$$
$$L_c = (K+1)k \qquad (25)$$
$$r = K/(K+1) \qquad (26)$$

Let us consider a condition necessary for the rate r to be
completely 1. Assume that the bases $b_1^{(j)}$ in the class 1 are all
constant terms alone, that is, $b_1^{(j)} = \alpha_1^{(j)}$. In this case, the following
(27) is assumed to be satisfied. Further, vector $P(w_1^{(j)}, w_2^{(j)}, \ldots, w_K^{(j)})$
is deduced by randomly permutating the components of the
coefficient vector $(w_1^{(j)}, w_2^{(j)}, \ldots, w_K^{(j)})$, and designated to subkeys of
the class 1 of the public key list.

$$\alpha_1^{(j)} w(X) = w_1^{(j)} + w_2^{(j)} X + w_3^{(j)} X^2 + \cdots + w_K^{(j)} X^{K-1} \qquad (27)$$

Even in this case, as long as K > 1, a trial-and-error attack to
the $P(w_1^{(j)}, w_2^{(j)}, \ldots, w_K^{(j)})$ is still practically impossible.

Therefore, input plaintext length $L_m$, output ciphertext
length $L_c$, and rate r are given by the following (28), (29), and (30),
respectively.

$$L_m = Kk \qquad (28)$$
$$L_c = Kk \qquad (29)$$
$$r = 1 \qquad (30)$$

(Second embodiment: a product-sum type cryptography using error 
correcting code on a finite field) 

FIG. 4 is a schematic diagram showing a situation that an 
encryption method/decryption method in accordance with the 
second embodiment is used in an informational communication 
between two entities a, b. Similarly to the FIG. 1, also in the
example of FIG. 4, an entity a encrypts a plaintext M into a
ciphertext C, thereby transmitting the ciphertext C through a
communication channel 1 to the other entity b. The entity b
decrypts the ciphertext C into the original plaintext M.

The entity a of sender comprises: a plaintext divider 2 for
dividing a plaintext M into a plurality of divided plaintexts; and an
encryptor 3 for generating a ciphertext C using public keys and
divided plaintexts. On the other hand, the entity b of recipient
comprises a decryptor 4 for decrypting the transmitted ciphertext C
into the original plaintext M. In the second embodiment, similarly
to the first embodiment, secret keys, public keys, random numbers,
and the like are expressed in a polynomial representation, whereby
a product-sum type cryptosystem is constituted on a finite field.
(Encryption) 

Secret keys and public keys are prepared as follows.
•Secret keys: $\{X^{a_i} g_i(X)\}$, $w(X)$, $P(X)$
•Public keys: $\{c_i(X)\}$, encoding parameters for m
Let a code polynomial on $F_2$ of degree $g_i$ be $g_i(X)$. However,
$g_i = g$ (constant) is assumed herein for the simplicity of description.
With P(X) being an appropriately selected, secret polynomial, the
following (31) is deduced. Here, $a_i = a$ (constant) is assumed
similarly to the above-mentioned $g_i$.

$$X^{a_i} g_i(X) w(X) \equiv c_i(X) \pmod{P(X)} \qquad (31)$$

Encryption is carried out as shown in the following (32).

$$C(X) = \sum_{i=1}^{K} m_i'(X) c_i(X) \qquad (32)$$

(Decryption) 

[First decryption example of the second embodiment] 

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(33), an intermediate decrypted text M(X) is deduced as shown in
the following (34). More specifically, the intermediate decrypted
text M(X) is obtained as shown in the following (35).

$$w(X) w^{-1}(X) \equiv 1 \pmod{P(X)} \qquad (33)$$
$$M(X) \equiv C(X) w^{-1}(X) \pmod{P(X)} \qquad (34)$$

$$M(X) = g_1(X) m_1'(X) + g_2(X) m_2'(X) X^{a} + \cdots + g_K(X) m_K'(X) X^{(K-1)a} \qquad (35)$$

In the above, the degree p of the secret polynomial P(X) is set
to be larger by 1 than the degree of the right-hand side of the
above-mentioned (35). Then, p satisfies the following condition
(36).

$$p = g + k + (K-1)a + 1 \qquad (36)$$
Let $S_n(w)$ indicate the operation of sampling the lowest n
digits of the vector w, and let the sampled series be expressed by a
polynomial $S_w(X)$. Then, the following (a), (b) hold.

(a): In a series $S_M(X)$ sampled from the intermediate
decrypted text M(X) given by the above-mentioned (35), when a <
g + k = n, the end $e_1(X)$ of length (g + k - a) of the second term is in
an additional form as shown in the following (37).

$$g_1(X) m_1'(X) + e_1(X) X^{a} \qquad (37)$$

(b): Let the degree of the end $e_1(X)$ be (e - 1). Then, in case
that $g \ge e$, the $e_1(X)$ is correctable as a disappearance error.

According to (a), (b), the $e_1(X) X^{a}$ can be corrected as
a disappearance error. Therefore, $g_1(X) m_1'(X)$ can be decrypted,
whereby $m_1'(X)$ can be easily decrypted. That is, each term of the
intermediate decrypted text has a form of product-sum component
plus noise component. However, since the product-sum component
is an error correcting code word, the noise component can be
corrected as an error by the error correction capability thereof,
whereby the product-sum component can be decrypted purely and
accurately. The subsequent terms can be decrypted similarly to
the first term. As such, in the first decryption example, decryption
is performed sequentially from the lowest order term in ascending
order.

[Second decryption example of the second embodiment] 

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(38), an intermediate decrypted text M(X) is deduced as shown in
the following (39). More specifically, the intermediate decrypted
text M(X) is obtained as shown in the following (40).

$$w(X) w^{-1}(X) \equiv 1 \pmod{P(X)} \qquad (38)$$
$$M(X) \equiv C(X) w^{-1}(X) \pmod{P(X)} \qquad (39)$$

$$M(X) = g_1(X) m_1'(X) + g_2(X) m_2'(X) X^{a} + \cdots + g_K(X) m_K'(X) X^{(K-1)a} \qquad (40)$$
The following (c), (d) hold.

(c): In a series $S_M(X)$ sampled from the intermediate
decrypted text M(X) given by the above-mentioned (40), when a <
g + k = n, the $e_{K-1}(X)$ of the higher order (g + k - a) digits of the
second term $g_{K-1}(X) m_{K-1}'(X)$ is in an additional form as shown in
the following (41).

$$g_K(X) m_K'(X) + e_{K-1}(X) X^{a} \qquad (41)$$

(d): Let the degree of the $e_{K-1}(X)$ be (e - 1). Then, in case
that $g \ge e$, the $e_{K-1}(X)$ is correctable as a disappearance error.

According to (c), (d), the $e_{K-1}(X) X^{a}$ can be corrected as
a disappearance error. Therefore, $g_K(X) m_K'(X)$ can be decrypted,
whereby $m_K'(X)$ can be easily decrypted. As such, in the second
decryption example, decryption is performed sequentially from the
highest order term in descending order.

Meanwhile, in this second embodiment, similarly to the
above-mentioned first embodiment, a scheme can be used such that
public keys are arbitrarily selected. When such a scheme is
applied to the first example of the first embodiment, let $g_i(X)$ belong
to a class i; J pieces of $g_i(X)$ are prepared for each class except for
the class 1; $m_1$ is decoded from the $m_1'(X)$ decrypted in the class 1;
and the public key selection information in the class 2 can be
obtained similarly. When such a scheme is applied to the second
example of the first embodiment, let $g_i(X)$ belong to a class i; J
pieces of $g_i(X)$ are prepared for each class except for the classes K,
K-1; $m_K$ is decoded from the $m_K'(X)$ decrypted in the class K; and the
public key selection information in the class K-2 can be obtained
similarly.

FIG. 5 is a diagram showing the configuration of an 
embodiment of a memory product in accordance with the present 
invention. The program illustrated here contains an encryption 
process or a decryption process in accordance with the first 
embodiment or the second embodiment described above, and further 
is recorded in a memory product described below. A computer 20 is 
provided in each entity. 

In FIG. 5, a memory product 21 is composed of, for example, 
a server computer on the WWW (World Wide Web) installed apart 
from the installed location of the computer 20. In the memory 
product 21, a program 21a described above is recorded. The 
program 21a read out from the memory product 21 via a 
transmission medium 24 such as a communication line controls the 
computer 20 so as to generate a ciphertext from a plaintext or 
decrypt a ciphertext into a plaintext. 

A memory product 22 provided in the interior of the 
computer 20 is composed of a disk drive, a ROM, or the like built in. 
In the memory product 22, a program 22a described above is 
recorded. The program 22a read out from the memory product 22 
controls the computer 20 so as to generate a ciphertext from a 
plaintext or decrypt a ciphertext into a plaintext. 

A memory product 23 used in the loaded state into a disk
drive 20a provided in the computer 20 is composed of a
magneto-optical disk, a CD-ROM, a flexible disk, or the like
portable. In the memory product 23, a program 23a described
above is recorded. The program 23a read out from the memory
product 23 controls the computer 20 so as to generate a ciphertext
from a plaintext or decrypt a ciphertext into a plaintext.

As described above, in the present invention, since a 
product-sum type cryptosystem is constituted on a finite field, the 
cryptosystem is more resistive to attacks by LLL algorithm than a 
product-sum type cryptosystem on an integer ring, thereby 
improving the security. 

Further, each term of the intermediate decrypted texts is 
constituted of an error correcting code word, whereby the original 
plaintext can be reproduced accurately by the correction capability 
of the code word even if an error of a certain extent occurs. 

Furthermore, a plurality of public keys are previously 
prepared for each of divided plaintexts generated by dividing a 
plaintext. For each of the divided plaintexts, an arbitrary public 
key is selected from among the prepared plurality of public keys, 
whereby a ciphertext is generated by using the selected public keys.
As a result, one can arbitrarily select the public keys to generate a
ciphertext. Accordingly, the manner of the public key selection is 
unknown to attackers, which makes attacks difficult thereby to 
improve the security further. 

As this invention may be embodied in several forms without
departing from the spirit of essential characteristics thereof, the
present embodiment is therefore illustrative and not restrictive,
since the scope of the invention is defined by the appended claims
rather than by the description preceding them, and all changes that
fall within metes and bounds of the claims, or equivalent of such
metes and bounds thereof are therefore intended to be embraced by
the claims.



